ci: generate provenance attestation from artifacts instead of files

Reference: actions/attest-build-provenance#290

.github/workflows/__package.yml

@@ -48,6 +48,7 @@ jobs:
 
     env:
       WORKING_DIR: packaging/tauri
+      ARTIFACT_NAME: jellyfin-vue_${{ runner.os }}
       ARTIFACTS_PATH: ${{
           format('target/release/{0}', matrix.platform == 'windows' && 'jellyfin-vue-tauri.exe' ||
           format('bundle/*/*.{0}', matrix.platform == 'macos' && 'dmg' || 'AppImage'))
@@ -86,19 +87,21 @@ jobs:
       - name: Build application 🛠️
         run: npm run build
 
-      - name: Create provenance attestation 🔏
-        uses: actions/[email protected]
-        continue-on-error: true
-        with:
-          subject-path: ${{ env.WORKING_DIR }}/${{ env.ARTIFACTS_PATH }}
-
       - name: Upload built application artifact ⬆️🐧🍎🪟
         uses: actions/[email protected]
+        id: artifact
         with:
           compression-level: 0
-          name: jellyfin-vue_${{ runner.os }}
+          name: ${{ env.ARTIFACT_NAME }}
           path: ${{ env.WORKING_DIR }}/${{ env.ARTIFACTS_PATH }}
 
+      - name: Create provenance attestation 🔏
+        uses: actions/[email protected]
+        continue-on-error: true
+        with:
+          subject-name: ${{ env.ARTIFACT_NAME }}
+          subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }}
+
   docker_inputs:
     name: Prepare Docker build variables 🏷️🐳
     runs-on: ubuntu-latest
@@ -171,6 +174,9 @@ jobs:
       matrix:
         platform: ${{ fromJson(inputs.architectures) }}
 
+    env:
+      ARTIFACT_NAME: docker_image-linux_${{ matrix.platform }}
+
     steps:
       - name: Checkout ⬇️
         uses: actions/[email protected]
@@ -205,16 +211,18 @@ jobs:
 
       - name: Upload Docker image as artifact ⬆️📦
         uses: actions/[email protected]
+        id: artifact
         with:
           compression-level: 0
-          name: docker_image-linux_${{ matrix.platform }}
+          name: ${{ env.ARTIFACT_NAME }}
           path: docker_image.tar
 
       - name: Create provenance attestation 🔏
         uses: actions/[email protected]
         continue-on-error: true
         with:
-          subject-path: docker_image.tar
+          subject-name: ${{ env.ARTIFACT_NAME }}
+          subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }}            
 
       - name: Upload cache artifact ⬆️⚙️
         uses: actions/[email protected]
@@ -230,6 +238,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: docker
 
+    env:
+      ARTIFACT_NAME: frontend
+
     steps:         
       - name: Download Docker image artifact 📦⬇️
         uses: actions/[email protected]
@@ -243,19 +254,21 @@ jobs:
           ASSETS=$(docker inspect $IMAGE_SHA --format='{{range .Config.Env}}{{println .}}{{end}}' | grep ^ASSETS= | cut -d '=' -f2-)
           docker cp $(docker create --name jf $IMAGE_SHA):$ASSETS/ ./dist
 
-      - name: Create provenance attestation 🔏
-        uses: actions/[email protected]
-        continue-on-error: true
-        with:
-          subject-path: dist
-
       - name: Upload client artifact ⬆️💻
         uses: actions/[email protected]
+        id: artifact
         with:
           compression-level: 0
-          name: frontend
+          name: ${{ env.ARTIFACT_NAME }}
           path: dist
 
+      - name: Create provenance attestation 🔏
+        uses: actions/[email protected]
+        continue-on-error: true
+        with:
+          subject-name: ${{ env.ARTIFACT_NAME }}
+          subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }}
+
   docker_merge:
     name: Merge Docker images 💿🐳
     runs-on: ubuntu-latest
@@ -317,6 +330,7 @@ jobs:
 
       - name: Remove cache artifacts 🗑️
         uses: geekyeggo/[email protected]
+        continue-on-error: true
         with:
           name: |
             buildx-*